Abstract
1 Introduction
At present, domestic evaluation of security products relies mainly on attack-based testing. Such direct testing of a system is incomplete. First, it cannot detect unknown vulnerabilities: an existing "backdoor" program cannot, in general, be discovered by attack testing unless the tester already knows of the backdoor beforehand and uses the test to confirm it. More importantly, the results cannot demonstrate to what degree the product is secure, i.e. they cannot state how much confidence one may have that the security functions of the product/system are correctly implemented.
Information security evaluation is an important part of the information field. It is general practice to evaluate information security products under the guidance of the Common Criteria (CC). This paper proposes a new method of information security evaluation based on the combination of CC and the Systems Security Engineering Capability Maturity Model (SSE-CMM). The basic idea of this method is to draw on security systems engineering as a reference. Based on an experiment on a Target of Evaluation (TOE) under CC, the security assurance evaluation result obtained with this new method is shown to be more accurate, more comprehensive and more acceptable.
Source
Computer Science (《计算机科学》)
CSCD
Peking University Core Journal
2003, No. 11, pp. 152-154 (3 pages)
Funding
National Natural Science Foundation of China (No. 90104025)